Security Update 2006-008 Available




MacRumors
Dec 19, 2006, 04:06 PM

Apple has released Security Update 2006-008 (http://www.apple.com/support/downloads/securityupdate2006008universal.html) for Mac OS X 10.4.8 (client and server). The 1.8 MB update addresses a vulnerability in QuickTime for Java and Quartz Composer.

It appears as though the update fixes a vulnerability where a specially-crafted Java applet could obtain images rendered on screen by embedded QuickTime objects and upload them to the originating website. Because QuickTime can be used in conjunction with Quartz Composer, this could theoretically allow a hacker to craft an applet that could obtain an attached (or built-in) iSight camera's images. While external iSight cameras have the ability to physically close an iris and turn the camera off, built-in iSight cameras (such as on the MacBook, MacBook Pro, and iMac) cannot be physically turned off.

More detailed information can be found via this tech note (http://docs.info.apple.com/article.html?artnum=304916).



longofest
Dec 19, 2006, 04:07 PM
I knew having a non-turn-offable camera would come back to haunt Apple. At least this vulnerability was fixed, but I wonder if there are other back-doors. Will MOAB (http://www.macrumors.com/pages/2006/12/20061219163104.shtml) find any???

mkrishnan
Dec 19, 2006, 04:10 PM
Is this Quicktime vulnerability related in any way to the infamous MySpace quicktime vulnerability?

longofest
Dec 19, 2006, 04:11 PM
Is this Quicktime vulnerability related in any way to the infamous MySpace quicktime vulnerability?

Doesn't look like it.

IEatApples
Dec 19, 2006, 04:16 PM
Hehe... Scary bug. :)

Oh, and it's 2,7 MB on my iMac G5, and you need to restart!

aspro
Dec 19, 2006, 04:18 PM
Haha, any hacker would get a very uninteresting shot out of my built-in iSight.

It's 2.7mb on my Macbook as well.

longofest
Dec 19, 2006, 04:24 PM
Heh... says 1.5 MB on Apple's site. Fixed the article to be more arbitrary. Size doesn't matter ;)

mainstreetmark
Dec 19, 2006, 04:29 PM
This might be the only case I ever heard of where you can say "I didn't really fix the bug, but I put a bandaid on it" (over the camera lens)

nagromme
Dec 19, 2006, 04:47 PM
It's my understanding that although there's no iris, there's ALSO no way--due to the electrical design of the iSight--to have the camera turned on without the green On Air light also being on. So at least you always have warning when an app is using the camera. Further clarifications welcomed.

plinden
Dec 19, 2006, 04:53 PM
Could people read the description on Apple's website (http://docs.info.apple.com/article.html?artnum=304916) carefully and tell me if I'm totally wrong in thinking that this has nothing at all to do with iSight, and everything to do with being able to retrieve images that are being rendered on screen by Quicktime?

And is it a new policy now for Apple to provide plenty of details about the fix, even if it's being misunderstood (by me or the Macrumors administrator who posted this)?

Viv
Dec 19, 2006, 04:54 PM
Such a little update for such a big issue:-)

Installed ok seemed to boot faster and Safari seems snappier;-)

longofest
Dec 19, 2006, 04:55 PM
It's my understanding that although there's no iris, there's ALSO no way--due to the electrical design of the iSight--to have the camera turned on without the green On Air light also being on. So at least you always have warning when an app is using the camera. Further clarifications welcomed.

That is theoretically correct. Basically, that's what Steve said when he introduced the built-in version without the Iris. However, I hesitate to say 100% definitive statements like "no way". For instance, what if the LED actually burns out or loses contact? The hardware may still be sending the signal for it to turn on, but I don't know if it would be smart enough to realize that the LED isn't operating correctly and therefore the iSight shouldn't operate. In such a case, you may see the iSight work and the LED not illuminate.

I'm just hypothesizing, but trying to prove my point that it's dangerous to say 100% definitive things :)

banjomamo
Dec 19, 2006, 04:55 PM
I bought my mom an iMac a month ago and she specifically asked me if something like this could happen. Mothers always know.

longofest
Dec 19, 2006, 05:00 PM
Could people read the description on Apple's website (http://docs.info.apple.com/article.html?artnum=304916) carefully and tell me if I'm totally wrong in thinking that this has nothing at all to do with iSight, and everything to do with being able to retrieve images that are being rendered on screen by Quicktime?

You have to read into what they are saying a bit. The update is for both QuickTime AND Quartz Composer. Quartz Composer can be used to control an iSight, so when you use it in conjunction with Quicktime, you could actually write an applet on a webpage that displays your iSight imagery. Now, theoretically those images should only be viewable on your screen and not accessible to the remote web server, but the vulnerability was that Quicktime for Java could actually grab the Quartz Composer images. Thus, it could grab your iSight images.

If you have an iSight, you can go to the following website to see how Quartz Composer can control your iSight on a website. It's O'Reilly's site, so while I can't 100% guarantee that it doesn't contain malicious code, I think we should be pretty safe. At least, the site doesn't appear to use Quicktime for Java, which is where the vulnerability is. http://www.oreillynet.com/lpt/wlg/7409

IEatApples
Dec 19, 2006, 05:03 PM
I'm just hypothesizing, but trying to prove my point that it's dangerous to say 100% definitive things :)

But you're not 100% sure? :D ;)

840quadra
Dec 19, 2006, 05:04 PM
You could always use White out, or a white strip of tape..

I have only "used" my iSight camera on my macbook once. Otherwise it is wasted hardware. :(

IEatApples
Dec 19, 2006, 05:06 PM
You could always use White out, or a white strip of tape..

I have only "used" my iSight camera on my macbook once. Otherwise it is wasted hardware. :(

NOT TRUE!

I use my iSight all the time.

longofest
Dec 19, 2006, 05:10 PM
But you're not 100% sure? :D ;)

I'm about 95%

840quadra
Dec 19, 2006, 05:16 PM
NOT TRUE!

I use my iSight all the time.

That's fine, and good for you :)

I was actually talking about my isight in my MacBook ;) .

I'm about 95%

Now, how unsure are you about the other 5% ?

IEatApples
Dec 19, 2006, 05:18 PM
That's fine, and good for you :)

I was actually talking about my isight in my MacBook ;) .

:D Sorry!!! :p ;)

japanime
Dec 19, 2006, 05:20 PM
I use my MacBook in closed-lid mode, attached to an iSight-less external monitor.

Problem solved! :D

SiliconAddict
Dec 19, 2006, 05:32 PM
I knew having a non-turn-offable camera would come back to haunt Apple.

Who cares? Seriously. The light comes on, on the camera when it's on. In any case you will know when it's in use.

SeaFox
Dec 19, 2006, 05:51 PM

Apple has released Security Update 2006-008 (http://www.apple.com/support/downloads/securityupdate2006008universal.html) for Mac OS X 10.4.8 (client and server). The 1.8 MB update addresses a vulnerability in QuickTime for Java and Quartz Composer.

It appears as though the update fixes a vulnerability where a specially-crafted Java applet could obtain images rendered on screen by embedded QuickTime objects and upload them to the originating website. Because QuickTime can be used in conjunction with Quartz Composer, this could theoretically allow a hacker to craft an applet that could obtain an attached (or built-in) iSight camera's images. While external iSight cameras have the ability to physically close an iris and turn the camera off, built-in iSight cameras (such as on the MacBook, MacBook Pro, and iMac) cannot be physically turned off.

In related news, it has been announced the Month of OSX Bugs will not start until January 2nd, but will still end January 31st.

SeaFox
Dec 19, 2006, 06:00 PM
It's my understanding that although there's no iris, there's ALSO no way--due to the electrical design of the iSight--to have the camera turned on without the green On Air light also being on. So at least you always have warning when an app is using the camera. Further clarifications welcomed.

Since the camera only has to be on long enough to capture an image, it could take a still image and only be on as long as the "shutter", which might be hard to catch if you're not paying attention. One of those things where you might "think you saw it" but then convince yourself you were imagining things.

DavidLeblond
Dec 19, 2006, 06:03 PM
That's fine, and good for you :)

I was actually talking about my isight in my MacBook ;) .


I use your iSight all the time.

Which reminds me, don't download that software update please, you're interesting to watch.

Peace
Dec 19, 2006, 06:05 PM
WOW! This update works GREAT!

I can see everyone on MacRumors now..How cool!! :p

thevessels
Dec 19, 2006, 06:16 PM
i guess this isn't relevant to codes like this :

http://homepage.mac.com/cancermac/dyerhaus/images/hi.mov

too bad , those freak me out , ha

iowamensan
Dec 19, 2006, 06:22 PM
I just wish Remote Desktop had the ability to view the iSight image. In a lab situation, I can already watch what they have on the screen, let me see who is sitting at it.

fowler.
Dec 19, 2006, 06:24 PM
images aren't loading for me in safari.. nice.

even after a restart.. not even webkit. fack.

SeaFox
Dec 19, 2006, 06:30 PM
I just wish Remote Desktop had the ability to view the iSight image. In a lab situation, I can already watch what they have on the screen, let me see who is sitting at it.

That's a pretty cool idea, but I think most users would find it a bit too Orwellian.

MrCrowbar
Dec 19, 2006, 07:13 PM
Since the camera only has to be on long enough to capture an image, it could take a still image and only be on as long as the "shutter", which might be hard to catch if you're not paying attention. One of those things where you might "think you saw it" but then convince yourself you were imagining things.

I googled a tool that does this a while ago. It has the light lit for just one second and it took a good picture. I could imagine a tool that takes your picture only when you're not actively using your computer. Imagine a screensaver that uploads the iSight input once in a while.

brepublican
Dec 19, 2006, 07:54 PM
Such a little update for such a big issue:-)

Installed ok seemed to boot faster and Safari seems snappier;-)

You forgot to add the 'TM' notice at the end of that one :)

eric_n_dfw
Dec 19, 2006, 08:16 PM
I just wish Remote Desktop had the ability to view the iSight image. In a lab situation, I can already watch what they have on the screen, let me see who is sitting at it.

That should be pretty easy to do for them since the new iChat in 10.5 will have a similar functionality.

Whistleway
Dec 19, 2006, 08:43 PM
I bought my mom an iMac a month ago and she specifically asked me if something like this could happen. Mothers always know.

lol.. good one.

mattster16
Dec 19, 2006, 08:52 PM
I just wish Remote Desktop had the ability to view the iSight image. In a lab situation, I can already watch what they have on the screen, let me see who is sitting at it.

I see your point, most computer labs already have cameras, so this is just another. It is still a little creepy though to think someone could be looking at you...face on from 3 feet away.

runninmac
Dec 19, 2006, 09:05 PM
So my MacBook is stuck on the start up screen after this update. Help anyone?

karlfranz
Dec 19, 2006, 10:52 PM
I see your point, most computer labs already have cameras, so this is just another. It is still a little creepy though to think someone could be looking at you...face on from 3 feet away.

Isn't that exactly what happens every time you use an ATM? :p

Links
Dec 20, 2006, 01:52 AM
Applied the security update and the O'Reilly page

http://www.oreillynet.com/lpt/wlg/7409

STILL captures my web cam, not an iSight. Live video, not just a still.
iChat is not running and no images on my desktop.
Using a DV Camcorder as web cam.
Not only that, but it captures the live video output of my BlackMagic video capture card when I'm not using a camera!!

koobcamuk
Dec 20, 2006, 03:22 AM
Hehe... Scary bug. :)

Oh, and it's 2,7 MB on my iMac G5, and you need to restart!

My iMac doesn't have an iSight so I won't be doing this. My uptime is 16 days on the iMac and 21 days on the MacBook so I won't be doing this. I couldn't give a damn if someone watched me on my MacBook anyway. They'd see my office and that's about it. Occasionally the side of my head.

My girlfriend doesn't like the black dot at the top (the actual isight) so she covered hers up with a white sticker.:D

eenu
Dec 20, 2006, 04:22 AM
same here!

Applied the security update and the O'Reilly page

http://www.oreillynet.com/lpt/wlg/7409

STILL captures my web cam, not an iSight. Live video, not just a still.
iChat is not running and no images on my desktop.
Using a DV Camcorder as web cam.
Not only that, but it captures the live video output of my BlackMagic video capture card when I'm not using a camera!!

frenchy
Dec 20, 2006, 04:38 AM
Talking about privacy... couldn't there be similar issues with the built-in microphone ?

invalidname
Dec 20, 2006, 05:08 AM
Applied the security update and the O'Reilly page

http://www.oreillynet.com/lpt/wlg/7409

STILL captures my web cam, not an iSight. Live video, not just a still.
iChat is not running and no images on my desktop.
Using a DV Camcorder as web cam.
Not only that, but it captures the live video output of my BlackMagic video capture card when I'm not using a camera!!

Hi. I'm Chris Adamson, the author of the blog you're quoting, and I want to clarify that the blog does not constitute a test of the exploit. It will continue to work even after you've applied the security patch.

The page does one thing: it shows that a Quartz Composer composition can turn on your camera. This is not a security issue in and of itself, because the image from the camera is only used locally (ie, shown in the web page). This example uses the QuickTime plug-in to put the Quartz Composer composition, saved as a QuickTime "movie", in a web page.

The actual exploit uses a second technology, QuickTime for Java, to load the Quartz Composer movie into a Java applet. Once it does this, the applet can then get the image from the camera and then upload it to a server.

Apple's security fix only disallows this combination. It prohibits "unsigned" applets (those that don't assert the identity of their authors and ask for insecure access to the system) from loading Quartz Composer compositions. Therefore, the applet cannot load the movie that turns on your camera. Note that signed applets, and full-blown double-clickable QTJ applications, are assumed to have full access to your system and thus can still load QC compositions.

So now you know. And knowing is half the battle. :D

--Chris

madmax_2069
Dec 20, 2006, 05:37 AM
So now you know. And knowing is half the battle. :D

--Chris

GI-JOE

i had to :D

I hope that all of this will make Apple make OS X more secure. The bad thing is that someone could use this before Apple has released a patch for it. But it's good to see Apple did do something with this one as soon as they could. The only thing that worries me about this is a security update breaking something and/or not allowing OS X to properly function or boot up. But all seems good so far that Apple is on top of things. I don't have an iSight but I do have a web cam.

savar
Dec 20, 2006, 09:35 AM
However, I hesitate to say 100% definitive statements like "no way". For instance, what if the LED actually burns out or loses contact?

I agree in principle. "100%" statements are NEVER true.

But....the LED is one of the last things that will fail in your computer. LEDs -- operated under proper electrical conditions -- have absurd lifespans. The electrolytic caps on your mobo will fail decades before that LED burns out.

Edit: I'm using IE7 here at work to post this....For some reason when you select text in IE7, it expands your selection to the right, and whenever I'm editing a QUOTE block it chops off the "[/" of the closing tag. This happens on *every* forum I read because they all use the same markup syntax....it's so annoying. I'm constantly having to edit posts to put those two characters back in.

longofest
Dec 20, 2006, 10:33 AM
Hi. I'm Chris Adamson, the author of the blog you're quoting, and I want to clarify that the blog does not constitute a test of the exploit. It will continue to work even after you've applied the security patch.

The page does one thing: it shows that a Quartz Composer composition can turn on your camera. This is not a security issue in and of itself, because the image from the camera is only used locally (ie, shown in the web page). This example uses the QuickTime plug-in to put the Quartz Composer composition, saved as a QuickTime "movie", in a web page.

The actual exploit uses a second technology, QuickTime for Java, to load the Quartz Composer movie into a Java applet. Once it does this, the applet can then get the image from the camera and then upload it to a server.

Apple's security fix only disallows this combination. It prohibits "unsigned" applets (those that don't assert the identity of their authors and ask for insecure access to the system) from loading Quartz Composer compositions. Therefore, the applet cannot load the movie that turns on your camera. Note that signed applets, and full-blown double-clickable QTJ applications, are assumed to have full access to your system and thus can still load QC compositions.

So now you know. And knowing is half the battle. :D

--Chris

Thanks for clearing that up, Chris. I was about to, but I guess it's a bit more authoritative coming from you :)

LastZion
Dec 20, 2006, 01:45 PM
Anyone else's AirPort wack now? Mine is terrible, disconnects all day. I have done a few reboots since, and it's terrible.

Windowlicker
Dec 21, 2006, 04:08 AM
The first time I got problems from a security update (I assume it's the update that's doing this):

a) Computer doesn't sleep anymore; the fans keep spinning and the computer doesn't respond to anything.

b) Volume control buttons don't function anymore. The system recognizes if they're pressed (visual sign), but they don't do anything.

DAMNIT!

invalidname
Dec 21, 2006, 06:57 AM
Thanks for clearing that up, Chris. I was about to, but I guess it's a bit more authoritative coming from you :)

NP. I thought it was an interesting exploit, so I tried to duplicate it, and posted source on a new O'Reilly blog (http://www.oreillynet.com/mac/blog/2006/12/explaining_the_quartz_composer.html), along with a pretty exhaustive explanation.

scott523
Dec 21, 2006, 01:01 PM
This update really sucked. It wiped out the iSight camera off my MacBook! At first I was about to panic and everything but I had to do an SMC reset to get it back. :mad:

Unspeaked
Dec 21, 2006, 01:47 PM
I see your point, most computer labs already have cameras, so this is just another. It is still a little creepy though to think someone could be looking at you...face on from 3 feet away.

So I take it you don't use ATMs then?